Access reviews fail when they’re manual, slow, and unactionable. Here’s a playbook for evidence‑first identity reviews that teams don’t hate.
Principles
- Least privilege is a direction, not a one‑time event.
- Evidence beats opinion: show what a role can do, not just what it’s called.
- Make offboarding boring: standardize the “goodbye.”
Steps
- Centralize identities (AWS IAM Identity Center) and require MFA.
- Role clarity: short role catalog with purpose, owner, and allowed actions.
- Review cadence: quarterly for admins, semi‑annual for contributor roles.
- Automate inputs: export principals, last‑used data (IAM role last‑used dates and service last‑accessed reports), and effective permissions with a script rather than collecting them by hand, so every review starts from the same evidence.
- Tighten: remove unused roles, break up “kitchen sink” policies, add alerts for admin elevation.
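As an added, worked example of the "automate inputs" and "tighten" steps (not code from the post or the linked lab), the script below turns IAM role metadata into the review report and flags kitchen‑sink policies. It runs offline over a constructed sample in the shape `iam:GetRole` returns; the 90‑day stale threshold, the fixed "today", the sample role names and the kitchen‑sink heuristic are assumptions for the demo. The live path `fetch_roles_from_aws()` needs boto3 and credentials and is not exercised by the demo.

```python
"""Access-review inputs for AWS IAM roles: last-used triage plus a
kitchen-sink policy check. Offline demo over constructed sample data;
fetch_roles_from_aws() is the live path (needs boto3 + credentials)."""
import csv
import io
from datetime import datetime, timezone

# Assumption: a role idle for 90+ days (the quarterly admin cadence) is a removal candidate.
STALE_DAYS = 90
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed "today" for a reproducible demo


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample in the shape iam:GetRole returns (RoleName, CreateDate,
# RoleLastUsed). Not real account data.
SAMPLE_ROLES = [
    {"RoleName": "AdminRole", "CreateDate": _utc(2023, 1, 1),
     "RoleLastUsed": {"LastUsedDate": _utc(2024, 6, 28), "Region": "us-east-1"}},
    {"RoleName": "LegacyDeployRole", "CreateDate": _utc(2022, 5, 10),
     "RoleLastUsed": {"LastUsedDate": _utc(2023, 11, 2), "Region": "us-east-1"}},
    {"RoleName": "NeverUsedRole", "CreateDate": _utc(2024, 1, 15), "RoleLastUsed": {}},
    {"RoleName": "NewRole", "CreateDate": _utc(2024, 6, 20), "RoleLastUsed": {}},
]


def classify_role(role, now=NOW, stale_days=STALE_DAYS):
    """Return (status, days_idle). Never-used roles are measured from
    creation, so a role created last week is 'new', not 'never-used'."""
    last = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last is None:
        idle = (now - role["CreateDate"]).days
        return ("never-used" if idle >= stale_days else "new"), idle
    idle = (now - last).days
    return ("stale" if idle >= stale_days else "active"), idle


def build_review_report(roles, now=NOW, stale_days=STALE_DAYS):
    """One row per role with the proposed action; this is the evidence a
    reviewer approves or rejects in the ticket."""
    rows = []
    for role in roles:
        status, idle = classify_role(role, now, stale_days)
        last = role.get("RoleLastUsed", {}).get("LastUsedDate")
        rows.append({
            "RoleName": role["RoleName"],
            "LastUsed": last.date().isoformat() if last else "",
            "DaysIdle": idle,
            "Status": status,
            "Action": "remove" if status in ("stale", "never-used") else "keep",
        })
    return rows


def report_to_csv(rows):
    """Serialise the report as CSV text for the evidence folder."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["RoleName", "LastUsed", "DaysIdle", "Status", "Action"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def is_kitchen_sink(policy_doc):
    """Heuristic (assumption): an Allow statement with a bare '*' or a
    service-wide 'svc:*' action on Resource '*'. Pass the document from
    iam.get_policy_version(...)['PolicyVersion']['Document']."""
    stmts = policy_doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            return True
    return False


def fetch_roles_from_aws():
    """Live input: ListRoles omits RoleLastUsed, so GetRole is called per role."""
    import boto3  # imported lazily so the offline demo needs no AWS SDK
    iam = boto3.client("iam")
    roles = []
    for page in iam.get_paginator("list_roles").paginate():
        for r in page["Roles"]:
            roles.append(iam.get_role(RoleName=r["RoleName"])["Role"])
    return roles


if __name__ == "__main__":
    print(report_to_csv(build_review_report(SAMPLE_ROLES)))
```

Two caveats before acting on the output: IAM tracks role last‑used activity only for a trailing window (AWS documents it as 400 days) and only where tracking is enabled, so a blank value can mean "not tracked" as well as "never used"; and a "stale" row is evidence, not a verdict, since break‑glass and disaster‑recovery roles are supposed to sit idle. Record the exception and its owner in the catalog instead of deleting them. For per‑service detail (which services a role actually called), pair this with `generate_service_last_accessed_details` / `get_service_last_accessed_details`.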
Evidence to Keep
- Role catalog (Markdown/CSV)
- Last‑used permissions report
- Tickets confirming removals & approvals
Result
- Faster reviews, fewer exceptions, simpler audits.
Resources & Evidence
- Case Study: AWS Account Governance → https://doneal78.github.io/grc_portfolio/projects/aws-account-governance/?utm_source=devto&utm_medium=article&utm_campaign=aws-governance
- Lab: Identity Center & MFA → https://doneal78.github.io/grc_portfolio/labs/aws-account-governance/?utm_source=devto&utm_medium=article&utm_campaign=aws-lab